In a post on its blog, cyber-security research firm said FireEye said its researchers first discovered the iOS vulnerability they call Masque Attack back in July. The post states, “an iOS app installed using enterprise / ad-hoc provisioning could replace another genuine app installed through the App Store, as long as both apps used the same bundle identifier.”
Details on the Masque Attack vulnerability
The firm states that the in-house app could have a title that’s arbitrary, such as “New Flappy Bird,” which attracts iOS users and convinces them to install it. The app is then able to replace another real app after the user installs it on their iPhone or iPad. The Masque Attack hole apparently allows any real app to be replaced except for those that come preinstalled on iOS devices.
According to the firm’s post, iOS does not require certificates to match apps with the same bundle identifier. FireEye identified the same issue on iOS 7.1.1, 7.1.2, 8.0, 8.1 and the beta version of iOS 8.1.1. Both jailbroken and non-jailbroken devices are apparently vulnerable to this type of attack, which can be launched both over USB and wireless networks.
Apple notified about Masque Attack
FireEye apparently notified Apple about the vulnerability all the way back on July 26, which means the company has supposedly been aware of it long before the final version of iOS 8.0 was even pushed out to the public. It seems as if Apple didn’t think this huge hole was enough of a concern to close it quickly.
Not long ago, another researcher revealed what’s called the WireLurker malware problem. FireEye researchers began to look into that vulnerability and say that it began to use a limited form of the Masque Attack hole they discovered to attack iOS devices over USB.
Bigger than WireLurker
However, they add that the full form of Masque Attacks can do much more than the WireLurker malware because they can replace real apps like email and banking apps. The vulnerability also allows hackers in through the internet. This means it doesn’t take much to steal an iOS user’s banking login information by installing malware on an iOS device to replace a real banking app, using the same UI so that the user is completely unaware that anything has happened.
According to FireEye, the malware is even able to gain access to the local data from the original app because that local data wasn’t removed when the malware replaced the real app. The data that can be accessed could include emails that have been cached or login tokens that can be used to gain access to a user’s account.